DigiNotar attackers got over 500 certificates

As more details of the compromise of the DigiNotar certificate authority (CA) are revealed, it is becoming clear that hundreds of certificates for many sites were issued. Over the weekend, the Tor project received a spreadsheet from the Dutch Government which listed the 531 SSL certificates which are currently known to be bad. Among the certificates were multiple instances of intelligence agency domains such as www.sis.gov.uk (MI6), www.cia.gov and *.mossad.gov.il. Other sites included microsoft.com, windowsupdate.com, login.live.com, skype.com, facebook.com, twitter.com, aol.com, logmein.com and android.com.

Wildcard certificates were also issued for "*.*.com" and "*.*.org" and are described as "the most egregious certificates", likely to be accepted by many browsers. But there were also certificates in the names of other CAs such as "VeriSign Root CA", "Thawte Root CA" and "Equifax Root CA"; the Tor developers are unable to tell if any intermediate certificates were generated from the "Root CA" certificates. The list confirms last week's report that certificates for google.com, wordpress.com, addons.mozilla.org, login.yahoo.com and torproject.org had been generated.
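The "*.*.com" and "*.*.org" names are dangerous only if a client's hostname check lets a wildcard span more than one label. The script below (an added example, not code from the article, the Tor project or any browser) contrasts a permissive glob-style matcher with a strict one that follows the usual rules: the wildcard must be the entire leftmost label, it matches exactly one label, and it is refused for names with fewer than three labels. The certificate names and hostnames are constructed from the sites the article lists.

```python
"""Hostname matching: permissive glob vs. strict wildcard rules.
Added example; patterns are constructed from names the article mentions."""
import fnmatch


def naive_match(pattern: str, hostname: str) -> bool:
    """Glob-style matching: '*' matches anything, dots included.
    A validator this loose accepts '*.*.com' for almost any .com host."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def strict_match(pattern: str, hostname: str) -> bool:
    """Wildcard accepted only as the whole leftmost label, matching exactly one
    label, and never for a pattern with fewer than three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # one wildcard, as the complete leftmost label, nowhere else
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


# Constructed sample: certificate names from the article's list and hosts
# a client might connect to.
CERT_NAMES = ["*.*.com", "*.*.org", "*.mossad.gov.il", "www.cia.gov", "login.live.com"]
HOSTS = ["www.google.com", "addons.mozilla.org", "mail.mossad.gov.il",
         "www.cia.gov", "login.live.com"]


def accepted_by(matcher) -> dict:
    """Map each hostname to the certificate names the given matcher accepts for it."""
    return {h: [n for n in CERT_NAMES if matcher(n, h)] for h in HOSTS}


if __name__ == "__main__":
    for label, matcher in (("naive", naive_match), ("strict", strict_match)):
        print(label, accepted_by(matcher))
```

With the permissive matcher, "*.*.com" is accepted for www.google.com and login.live.com and "*.*.org" for addons.mozilla.org; the strict matcher rejects both multi-label wildcards and only accepts the single-label wildcard "*.mossad.gov.il" and the exact-name certificates. Detecting the issuer of a presented chain is a separate control; this check alone only limits what a rogue wildcard can impersonate.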

The total volume of certificates is surprising. Initial estimates, based on the changes to the Google source code, suggested there were only 247 false certificates. It is now the most serious failure of a CA ever, yet it is still unknown who was behind the attack and how many of the certificates were used for monitoring internet users. It is only known that Google Gmail traffic in Iran was being spied on.

A clue to the author of the hack may be in a certificate that was issued for the bogus domain of RamzShekaneBozorg.com. This appears to be a "calling card", according to the Tor posting and comments. "RamzShekaneBozorg" translates from Farsi to "Great Cracker" while the certificate holder "Hameyeh Ramzaro Mishkanam" means "I will crack all encryption".

There is also increasing consternation among affected domain owners since DigiNotar has not been in direct contact with them. The Mozilla developers have criticised the compromised certificate authority harshly, with Gervase Markham saying: "Incidentally, it is my personal view that public statements by both Vasco and DigiNotar about the extent of and effect of this compromise have been, at best, incomplete and at worst actively misleading."